RubyGems - itsi-server - Versions diffs - 0.1.1 → 0.1.13 - Mend

itsi-server 0.1.1 → 0.1.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of itsi-server might be problematic. Click here for more details.

Files changed (143) hide show

data/ext/itsi_server/src/server/middleware_stack/middlewares/grpc_service.rs ADDED Viewed

@@ -0,0 +1,72 @@
+use super::MiddlewareLayer;
+use crate::{
+    ruby_types::itsi_grpc_request::ItsiGrpcRequest,
+    server::{
+        itsi_service::RequestContext,
+        types::{HttpRequest, HttpResponse},
+    },
+};
+use async_trait::async_trait;
+use derive_more::Debug;
+use either::Either;
+use http::StatusCode;
+use itsi_rb_helpers::{HeapVal, HeapValue};
+use magnus::{block::Proc, error::Result, value::ReprValue, Symbol, Value};
+use std::sync::Arc;
+#[derive(Debug)]
+pub struct GrpcService {
+    service: Arc<HeapValue<Proc>>,
+    adapter: Value, // Ruby CustomGrpcAdapter object
+}
+impl GrpcService {
+    pub fn from_value(params: HeapVal) -> magnus::error::Result<Self> {
+        let service = params.funcall::<_, _, Proc>(Symbol::new("[]"), ("service_proc",))?;
+        let adapter = params.funcall::<_, _, Value>(Symbol::new("[]"), ("adapter",))?;
+        Ok(GrpcService {
+            service: Arc::new(service.into()),
+            adapter,
+        })
+    }
+}
+#[async_trait]
+impl MiddlewareLayer for GrpcService {
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut RequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        // Extract gRPC method and service names from the path
+        let path = req.uri().path();
+        let parts: Vec<&str> = path.split('/').filter(|s| !s.is_empty()).collect();
+        if parts.len() < 2 {
+            return Ok(Either::Right(HttpResponse::new(StatusCode::BAD_REQUEST)));
+        }
+        let service_name = parts[0].to_string();
+        let method_name = parts[1].to_string();
+        // Get RPC descriptor from the adapter
+        let rpc_desc = self.adapter.funcall::<_, _, Option<Value>>(
+            "get_rpc_desc",
+            (service_name.clone(), method_name.clone()),
+        )?;
+        // Create gRPC request and process it
+        let (grpc_req, _) = ItsiGrpcRequest::new(
+            req,
+            context,
+            method_name,
+            service_name,
+            rpc_desc,
+        ).await;
+        grpc_req
+            .process(context.ruby(), self.service.clone())
+            .map_err(|e| e.into())
+            .map(|_| Either::Right(HttpResponse::new(StatusCode::OK)))
+    }
+}

data/ext/itsi_server/src/server/middleware_stack/middlewares/header_interpretation.rs ADDED Viewed

@@ -0,0 +1,85 @@
+use http::{header::GetAll, HeaderValue};
+/// Given a list of header values (which may be comma-separated and may have quality parameters)
+/// and a list of supported items (each supported item is a full value or a prefix ending with '*'),
+/// return Some(supported_item) for the first supported item that matches any header value, or None.
+pub fn find_first_supported<'a, I>(
+    header_values: &http::header::GetAll<http::HeaderValue>,
+    supported: I,
+) -> Option<&'a str>
+where
+    I: IntoIterator<Item = &'a str> + Clone,
+{
+    // best candidate: (quality, supported_index, candidate)
+    let mut best: Option<(f32, usize, &'a str)> = None;
+    for value in header_values.iter() {
+        if let Ok(s) = value.to_str() {
+            for token in s.split(',') {
+                let token = token.trim();
+                if token.is_empty() {
+                    continue;
+                }
+                let mut parts = token.split(';');
+                let enc = parts.next()?.trim();
+                if enc.is_empty() {
+                    continue;
+                }
+                let quality = parts
+                    .find_map(|p| {
+                        let p = p.trim();
+                        if let Some(q_str) = p.strip_prefix("q=") {
+                            q_str.parse::<f32>().ok()
+                        } else {
+                            None
+                        }
+                    })
+                    .unwrap_or(1.0);
+                // For each supported encoding, iterate over a clone of the iterable.
+                for (i, supp) in supported.clone().into_iter().enumerate() {
+                    let is_match = if supp == "*" {
+                        true
+                    } else if let Some(prefix) = supp.strip_suffix('*') {
+                        enc.starts_with(prefix)
+                    } else {
+                        enc.eq_ignore_ascii_case(supp)
+                    };
+                    if is_match {
+                        best = match best {
+                            Some((best_q, best_idx, _))
+                                if quality > best_q || (quality == best_q && i < best_idx) =>
+                            {
+                                Some((quality, i, supp))
+                            }
+                            None => Some((quality, i, supp)),
+                            _ => best,
+                        };
+                    }
+                }
+            }
+        }
+    }
+    best.map(|(_, _, candidate)| candidate)
+}
+pub fn header_contains(header_values: &GetAll<HeaderValue>, needle: &str) -> bool {
+    if needle == "*" {
+        return true;
+    }
+    let mut headers = header_values
+        .iter()
+        .flat_map(|value| value.to_str().unwrap_or("").split(','))
+        .map(|s| s.trim().split(';').next().unwrap_or(""))
+        .filter(|s| !s.is_empty());
+    let needle_lower = needle;
+    if needle.ends_with('*') {
+        let prefix = &needle_lower[..needle_lower.len() - 1];
+        headers.any(|h| h.starts_with(prefix))
+    } else {
+        headers.any(|h| h == needle_lower)
+    }
+}

data/ext/itsi_server/src/server/middleware_stack/middlewares/intrusion_protection.rs ADDED Viewed

@@ -0,0 +1,195 @@
+use super::{ErrorResponse, FromValue, MiddlewareLayer};
+use crate::server::{
+    itsi_service::RequestContext,
+    rate_limiter::{get_ban_manager, get_rate_limiter, BanManager, RateLimiter, RateLimiterConfig},
+    types::{HttpRequest, HttpResponse, RequestExt},
+};
+use async_trait::async_trait;
+use either::Either;
+use itsi_tracing::*;
+use magnus::error::Result;
+use regex::RegexSet;
+use serde::Deserialize;
+use std::time::Duration;
+use std::{
+    collections::HashMap,
+    sync::{Arc, OnceLock},
+};
+#[derive(Debug, Clone, Deserialize)]
+pub struct IntrusionProtection {
+    #[serde(skip_deserializing)]
+    pub banned_url_pattern_matcher: OnceLock<RegexSet>,
+    #[serde(default)]
+    pub banned_url_patterns: Vec<String>,
+    #[serde(skip_deserializing)]
+    pub banned_header_pattern_matchers: OnceLock<HashMap<String, RegexSet>>,
+    #[serde(default)]
+    pub banned_header_patterns: HashMap<String, Vec<String>>,
+    pub banned_time_seconds: u64,
+    #[serde(skip_deserializing)]
+    pub rate_limiter: OnceLock<Arc<dyn RateLimiter>>,
+    #[serde(skip_deserializing)]
+    pub ban_manager: OnceLock<BanManager>,
+    pub store_config: RateLimiterConfig,
+    pub error_response: ErrorResponse,
+}
+#[async_trait]
+impl MiddlewareLayer for IntrusionProtection {
+    async fn initialize(&self) -> Result<()> {
+        // Initialize regex matchers for URL patterns
+        if !self.banned_url_patterns.is_empty() {
+            match RegexSet::new(&self.banned_url_patterns) {
+                Ok(regex_set) => {
+                    let _ = self.banned_url_pattern_matcher.set(regex_set);
+                }
+                Err(e) => {
+                    error!("Failed to compile URL regex patterns: {:?}", e);
+                }
+            }
+        }
+        // Initialize regex matchers for header patterns
+        if !self.banned_header_patterns.is_empty() {
+            let mut header_matchers = HashMap::new();
+            for (header_name, patterns) in &self.banned_header_patterns {
+                if !patterns.is_empty() {
+                    match RegexSet::new(patterns) {
+                        Ok(regex_set) => {
+                            header_matchers.insert(header_name.clone(), regex_set);
+                        }
+                        Err(e) => {
+                            error!(
+                                "Failed to compile header regex patterns for {}: {:?}",
+                                header_name, e
+                            );
+                        }
+                    }
+                }
+            }
+            let _ = self.banned_header_pattern_matchers.set(header_matchers);
+        }
+        // Initialize rate limiter (used for tracking bans)
+        // This will automatically fall back to in-memory if Redis fails
+        if let Ok(limiter) = get_rate_limiter(&self.store_config).await {
+            let _ = self.rate_limiter.set(limiter);
+        }
+        // Initialize ban manager
+        // This will automatically fall back to in-memory if Redis fails
+        if let Ok(manager) = get_ban_manager(&self.store_config).await {
+            let _ = self.ban_manager.set(manager);
+        }
+        Ok(())
+    }
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut RequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        // Get client IP address from context's service
+        let client_ip = &context.addr;
+        // Check if the IP is already banned
+        if let Some(ban_manager) = self.ban_manager.get() {
+            match ban_manager.is_banned(client_ip).await {
+                Ok(Some(reason)) => {
+                    info!("Request from banned IP {}: {}", client_ip, reason);
+                    return Ok(Either::Right(
+                        self.error_response.to_http_response(&req).await,
+                    ));
+                }
+                Err(e) => {
+                    error!("Error checking IP ban status: {:?}", e);
+                    // Continue processing - fail open
+                }
+                _ => {
+                    // Not banned, continue with intrusion checks
+                }
+            }
+        } else {
+            warn!("No ban manager available for intrusion protection");
+        }
+        // Check for banned URL patterns
+        if let Some(url_matcher) = self.banned_url_pattern_matcher.get() {
+            let path = req.uri().path_and_query().map(|p| p.as_str()).unwrap_or("");
+            info!("Checking URL pattern match for {}", path);
+            if url_matcher.is_match(path) {
+                info!("Intrusion detected: URL pattern match for {}", path);
+                // Ban the IP address if possible
+                if let Some(ban_manager) = self.ban_manager.get() {
+                    match ban_manager
+                        .ban_ip(
+                            client_ip,
+                            &format!("Banned URL pattern detected: {}", path),
+                            Duration::from_secs(self.banned_time_seconds),
+                        )
+                        .await
+                    {
+                        Ok(_) => info!(
+                            "Successfully banned IP {} for {} seconds",
+                            client_ip, self.banned_time_seconds
+                        ),
+                        Err(e) => error!("Failed to ban IP {}: {:?}", client_ip, e),
+                    }
+                }
+                // Always return the error response even if banning failed
+                return Ok(Either::Right(
+                    self.error_response.to_http_response(&req).await,
+                ));
+            }
+        }
+        // Check for banned header patterns
+        if let Some(header_matchers) = self.banned_header_pattern_matchers.get() {
+            for (header_name, pattern_set) in header_matchers {
+                if let Some(header_value) = req.header(header_name) {
+                    if pattern_set.is_match(header_value) {
+                        info!(
+                            "Intrusion detected: Header pattern match for {} in header {}",
+                            header_value, header_name
+                        );
+                        // Ban the IP address if possible
+                        if let Some(ban_manager) = self.ban_manager.get() {
+                            match ban_manager
+                                .ban_ip(
+                                    client_ip,
+                                    &format!(
+                                        "Banned header pattern detected: {} in {}",
+                                        header_value, header_name
+                                    ),
+                                    Duration::from_secs(self.banned_time_seconds),
+                                )
+                                .await
+                            {
+                                Ok(_) => info!(
+                                    "Successfully banned IP {} for {} seconds",
+                                    client_ip, self.banned_time_seconds
+                                ),
+                                Err(e) => error!("Failed to ban IP {}: {:?}", client_ip, e),
+                            }
+                        }
+                        // Always return the error response even if banning failed
+                        return Ok(Either::Right(
+                            self.error_response.to_http_response(&req).await,
+                        ));
+                    }
+                }
+            }
+        }
+        // No intrusion detected
+        Ok(Either::Left(req))
+    }
+}
+impl FromValue for IntrusionProtection {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/log_requests.rs ADDED Viewed

@@ -0,0 +1,82 @@
+use async_trait::async_trait;
+use either::Either;
+use itsi_tracing::*;
+use magnus::error::Result;
+use serde::Deserialize;
+use crate::server::itsi_service::RequestContext;
+use crate::server::types::{HttpRequest, HttpResponse};
+use super::string_rewrite::StringRewrite;
+use super::{FromValue, MiddlewareLayer};
+/// Logging middleware for HTTP requests and responses
+///
+/// Supports customizable log formats with placeholders
+#[derive(Debug, Clone, Deserialize)]
+pub struct LogRequests {
+    pub before: Option<LogConfig>,
+    pub after: Option<LogConfig>,
+}
+#[derive(Debug, Clone, Deserialize)]
+pub struct LogConfig {
+    level: LogMiddlewareLevel,
+    format: StringRewrite,
+}
+#[derive(Debug, Clone, Deserialize)]
+pub enum LogMiddlewareLevel {
+    #[serde(rename(deserialize = "INFO"))]
+    Info,
+    #[serde(rename(deserialize = "TRACE"))]
+    Trace,
+    #[serde(rename(deserialize = "DEBUG"))]
+    Debug,
+    #[serde(rename(deserialize = "WARN"))]
+    Warn,
+    #[serde(rename(deserialize = "ERROR"))]
+    Error,
+}
+impl LogMiddlewareLevel {
+    pub fn log(&self, message: String) {
+        match self {
+            LogMiddlewareLevel::Trace => trace!(message),
+            LogMiddlewareLevel::Debug => debug!(message),
+            LogMiddlewareLevel::Info => info!(message),
+            LogMiddlewareLevel::Warn => warn!(message),
+            LogMiddlewareLevel::Error => error!(message),
+        }
+    }
+}
+#[async_trait]
+impl MiddlewareLayer for LogRequests {
+    async fn initialize(&self) -> Result<()> {
+        Ok(())
+    }
+    async fn before(
+        &self,
+        req: HttpRequest,
+        context: &mut RequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        context.track_start_time();
+        if let Some(LogConfig { level, format }) = self.before.as_ref() {
+            level.log(format.rewrite_request(&req, context));
+        }
+        Ok(Either::Left(req))
+    }
+    async fn after(&self, resp: HttpResponse, context: &mut RequestContext) -> HttpResponse {
+        if let Some(LogConfig { level, format }) = self.after.as_ref() {
+            level.log(format.rewrite_response(&resp, context));
+        }
+        resp
+    }
+}
+impl FromValue for LogRequests {}

data/ext/itsi_server/src/server/middleware_stack/middlewares/mod.rs ADDED Viewed

@@ -0,0 +1,82 @@
+mod allow_list;
+mod auth_api_key;
+mod auth_basic;
+mod auth_jwt;
+mod cache_control;
+mod compression;
+mod cors;
+mod deny_list;
+mod error_response;
+mod etag;
+mod header_interpretation;
+mod intrusion_protection;
+mod log_requests;
+mod proxy;
+mod rate_limit;
+mod redirect;
+mod request_headers;
+mod response_headers;
+mod ruby_app;
+mod static_assets;
+mod string_rewrite;
+mod token_source;
+pub use allow_list::AllowList;
+use async_trait::async_trait;
+pub use auth_api_key::AuthAPIKey;
+pub use auth_basic::AuthBasic;
+pub use auth_jwt::AuthJwt;
+pub use cache_control::CacheControl;
+pub use compression::Compression;
+pub use compression::CompressionAlgorithm;
+pub use cors::Cors;
+pub use deny_list::DenyList;
+use either::Either;
+pub use error_response::ErrorResponse;
+pub use etag::ETag;
+pub use intrusion_protection::IntrusionProtection;
+pub use log_requests::LogRequests;
+use magnus::error::Result;
+use magnus::Value;
+pub use proxy::Proxy;
+pub use rate_limit::RateLimit;
+pub use redirect::Redirect;
+pub use request_headers::RequestHeaders;
+pub use response_headers::ResponseHeaders;
+pub use ruby_app::RubyApp;
+use serde::Deserialize;
+use serde_magnus::deserialize;
+pub use static_assets::StaticAssets;
+use crate::server::itsi_service::RequestContext;
+use crate::server::types::{HttpRequest, HttpResponse};
+pub trait FromValue: Sized + Send + Sync + 'static {
+    fn from_value(value: Value) -> Result<Self>
+    where
+        Self: Deserialize<'static>,
+    {
+        deserialize(value)
+    }
+}
+#[async_trait]
+pub trait MiddlewareLayer: Sized + Send + Sync + 'static {
+    /// Called just once, to initialize the middleware state.
+    async fn initialize(&self) -> Result<()> {
+        Ok(())
+    }
+    /// The "before" hook. By default, it passes through the request.
+    async fn before(
+        &self,
+        req: HttpRequest,
+        _context: &mut RequestContext,
+    ) -> Result<Either<HttpRequest, HttpResponse>> {
+        Ok(Either::Left(req))
+    }
+    /// The "after" hook. By default, it passes through the response.
+    async fn after(&self, resp: HttpResponse, _context: &mut RequestContext) -> HttpResponse {
+        resp
+    }
+}